Promote the provenance field in status

Fixes #6309. Prior, the `provenance` field in status was gated by the dedicated feature flag named `enable-provenance-in-status`. This PR moves the field out of the feature flag. Signed-off-by: Chuang Wang <chuangw@google.com>
tektoncd · May 19, 2023 · 1e611c7 · 1e611c7
1 parent 5abf7c2
commit 1e611c7
Show file tree

Hide file tree

Showing 16 changed files with 353 additions and 101 deletions.
diff --git a/config/config-feature-flags.yaml b/config/config-feature-flags.yaml
@@ -85,7 +85,7 @@ data:
  # and PipelineRun status. This field contains metadata about resources used
  # in the TaskRun/PipelineRun such as the source from where a remote Task/Pipeline
  # definition was fetched.
- enable-provenance-in-status: "false"
+ enable-provenance-in-status: "true"
  # Setting this flag will determine how Tekton pipelines will handle non-falsifiable provenance.
  # If set to "spire", then SPIRE will be used to ensure non-falsifiable provenance.
  # If set to "none", then Tekton will not have non-falsifiable provenance.

diff --git a/docs/additional-configs.md b/docs/additional-configs.md
@@ -245,10 +245,11 @@ Defaults to "ignore".
 
 - `results-from`: set this flag to "termination-message" to use the container's termination message to fetch results from. This is the default method of extracting results. Set it to "sidecar-logs" to enable use of a results sidecar logs to extract results instead of termination message.
 
-- `enable-provenance-in-status`: set this flag to "true" to enable recording
+- `enable-provenance-in-status`: Set this flag to `"true"` to enable populating
  the `provenance` field in `TaskRun` and `PipelineRun` status. The `provenance`
  field contains metadata about resources used in the TaskRun/PipelineRun such as the
- source from where a remote Task/Pipeline definition was fetched.
+ source from where a remote Task/Pipeline definition was fetched. By default, this is set to `true`.
+ To disable populating this field, set this flag to `"false"`.
 
 For example:
 
@@ -284,7 +285,6 @@ Features currently in "alpha" are:
 | [Task-level Resource Requirements](compute-resources.md#task-level-compute-resources-configuration) | [TEP-0104](https://github.com/tektoncd/community/blob/main/teps/0104-tasklevel-resource-requirements.md) | [v0.39.0](https://github.com/tektoncd/pipeline/releases/tag/v0.39.0) | |
 | [Object Params and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | | |
 | [Trusted Resources](./trusted-resources.md) | [TEP-0091](https://github.com/tektoncd/community/blob/main/teps/0091-trusted-resources.md) | N/A | `trusted-resources-verification-no-match-policy` |
-| [`Provenance` field in Status](pipeline-api.md#provenance) | [issue#5550](https://github.com/tektoncd/pipeline/issues/5550) | N/A | `enable-provenance-in-status` |
 | [Larger Results via Sidecar Logs](#enabling-larger-results-using-sidecar-logs) | [TEP-0127](https://github.com/tektoncd/community/blob/main/teps/0127-larger-results-via-sidecar-logs.md) | [v0.43.0](https://github.com/tektoncd/pipeline/releases/tag/v0.43.0) | `results-from` |
 | [Configure Default Resolver](./resolution.md#configuring-built-in-resolvers) | [TEP-0133](https://github.com/tektoncd/community/blob/main/teps/0133-configure-default-resolver.md) | N/A | |
 
@@ -304,7 +304,7 @@ Features currently in "beta" are:
 | [Array Results and Array Indexing](pipelineruns.md#specifying-parameters) | [TEP-0076](https://github.com/tektoncd/community/blob/main/teps/0076-array-result-types.md) | [v0.38.0](https://github.com/tektoncd/pipeline/releases/tag/v0.38.0) | [v0.45.0](https://github.com/tektoncd/pipeline/releases/tag/v0.45.0) | |
 | [Object Parameters and Results](pipelineruns.md#specifying-parameters) | [TEP-0075](https://github.com/tektoncd/community/blob/main/teps/0075-object-param-and-result-types.md) | [v0.46.0](https://github.com/tektoncd/pipeline/releases/tag/v0.46.0) |
 | [Remote Tasks](./taskruns.md#remote-tasks) and [Remote Pipelines](./pipelineruns.md#remote-pipelines) | [TEP-0060](https://github.com/tektoncd/community/blob/main/teps/0060-remote-resolution.md) | [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0) |
-
+| [`Provenance` field in Status](pipeline-api.md#provenance)| [issue#5550](https://github.com/tektoncd/pipeline/issues/5550)| [v0.41.0](https://github.com/tektoncd/pipeline/releases/tag/v0.41.0)| [v0.48.0](https://github.com/tektoncd/pipeline/releases/tag/v0.48.0) | `enable-provenance-in-status`|
 
 ## Enabling larger results using sidecar logs
 

diff --git a/docs/pipelineruns.md b/docs/pipelineruns.md
@@ -1317,7 +1317,9 @@ Your `PipelineRun`'s `status` field can contain the following fields:
  - [`kind`][kubernetes-overview] - Generally either `TaskRun` or `Run`.
  - [`apiVersion`][kubernetes-overview] - The API version for the underlying `TaskRun` or `Run`.
  - [`whenExpressions`](pipelines.md#guard-task-execution-using-when-expressions) - The list of when expressions guarding the execution of this task.
- - `provenance` - Metadata about resources used in the PipelineRun such as the source from where a remote pipeline definition was fetched.
+ - `provenance` - Metadata about the runtime configuration and the resources used in the PipelineRun. The data in the `provenance` field will be recorded into the build provenance by the provenance generator i.e. (Tekton Chains). Currently, there are 2 subfields:
+ - `RefSource`: the source from where a remote pipeline definition was fetched.
+ - `FeatureFlags`: the configuration data of the `feature-flags` configmap.
  - `finallyStartTime`- The time at which the PipelineRun's `finally` Tasks, if any, began
  executing, in [RFC3339](https://tools.ietf.org/html/rfc3339) format.
 

diff --git a/pkg/apis/config/feature_flags.go b/pkg/apis/config/feature_flags.go
@@ -71,7 +71,7 @@ const (
  // DefaultNoMatchPolicyConfig is the default value for "trusted-resources-verification-no-match-policy".
  DefaultNoMatchPolicyConfig = IgnoreNoMatchPolicy
  // DefaultEnableProvenanceInStatus is the default value for "enable-provenance-status".
- DefaultEnableProvenanceInStatus = false
+ DefaultEnableProvenanceInStatus = true
  // DefaultResultExtractionMethod is the default value for ResultExtractionMethod
  DefaultResultExtractionMethod = ResultExtractionMethodTerminationMessage
  // DefaultMaxResultSize is the default value in bytes for the size of a result

diff --git a/pkg/apis/config/feature_flags_test.go b/pkg/apis/config/feature_flags_test.go
@@ -65,9 +65,10 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  SendCloudEventsForRuns: true,
  EnforceNonfalsifiability: "spire",
  VerificationNoMatchPolicy: config.FailNoMatchPolicy,
- EnableProvenanceInStatus: true,
+ EnableProvenanceInStatus: false,
  ResultExtractionMethod: "termination-message",
- MaxResultSize: 4096,
+
+ MaxResultSize: 4096,
  },
  fileName: "feature-flags-all-flags-set",
  },
@@ -85,6 +86,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  RequireGitSSHSecretKnownHosts: config.DefaultRequireGitSSHSecretKnownHosts,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -102,6 +104,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  RequireGitSSHSecretKnownHosts: config.DefaultRequireGitSSHSecretKnownHosts,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -119,6 +122,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  RequireGitSSHSecretKnownHosts: config.DefaultRequireGitSSHSecretKnownHosts,
  SendCloudEventsForRuns: config.DefaultSendCloudEventsForRuns,
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -132,6 +136,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
  RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
  AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.DefaultResultExtractionMethod,
  MaxResultSize: config.DefaultMaxResultSize,
  },
@@ -143,6 +148,7 @@ func TestNewFeatureFlagsFromConfigMap(t *testing.T) {
  VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
  RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
  AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
+ EnableProvenanceInStatus: config.DefaultEnableProvenanceInStatus,
  ResultExtractionMethod: config.ResultExtractionMethodSidecarLogs,
  MaxResultSize: 8192,
  },

diff --git a/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml b/pkg/apis/config/testdata/feature-flags-all-flags-set.yaml
@@ -28,4 +28,4 @@ data:
  send-cloudevents-for-runs: "true"
  enforce-nonfalsifiability: "spire"
  trusted-resources-verification-no-match-policy: "fail"
- enable-provenance-in-status: "true"
+ enable-provenance-in-status: "false"
diff --git a/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go b/pkg/apis/pipeline/v1beta1/pipelinerun_conversion_test.go
@@ -305,14 +305,7 @@ func TestPipelineRunConversion(t *testing.T) {
  URI: "test-uri",
  Digest: map[string]string{"sha256": "digest"},
  },
- FeatureFlags: &config.FeatureFlags{
- RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
- EnableAPIFields: config.DefaultEnableAPIFields,
- AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
- VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- ResultExtractionMethod: config.DefaultResultExtractionMethod,
- MaxResultSize: config.DefaultMaxResultSize,
- },
+ FeatureFlags: config.DefaultFeatureFlags.DeepCopy(),
  },
  },
  },

diff --git a/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go b/pkg/apis/pipeline/v1beta1/taskrun_conversion_test.go
@@ -237,14 +237,7 @@ func TestTaskRunConversion(t *testing.T) {
  URI: "test-uri",
  Digest: map[string]string{"sha256": "digest"},
  },
- FeatureFlags: &config.FeatureFlags{
- RunningInEnvWithInjectedSidecars: config.DefaultRunningInEnvWithInjectedSidecars,
- EnableAPIFields: config.DefaultEnableAPIFields,
- AwaitSidecarReadiness: config.DefaultAwaitSidecarReadiness,
- VerificationNoMatchPolicy: config.DefaultNoMatchPolicyConfig,
- ResultExtractionMethod: config.DefaultResultExtractionMethod,
- MaxResultSize: config.DefaultMaxResultSize,
- },
+ FeatureFlags: config.DefaultFeatureFlags.DeepCopy(),
  }},
  },
  },